Modern Hazel Buffalo
High
buyOrderFactory's changeOwner function is completely broken, forever blocking the ability to change the owner of the contract
Ever since the owner
is set during the buyOrderFactory
's contract construction, it can never be changed due to not using a locally-scoped _owner
variable as an argument in the changeOwner
function.
// file: buyOrderFactory.sol
function changeOwner(address owner) public {
require(msg.sender == owner, "Only owner");
require(deployedTime + 6 hours > block.timestamp, "6 hours passed");
owner = owner;
}
As you can see here, the owner
variable in the changeOwner
function's agruments "shadows" the global owner
variable in the storage.
- The comparison
owner == msg.sender
is absolutely wrong; - The global
owner
function can never be updated because theowner = owner
assignment just updates the localcalldata
owner
variable's value, and never touches theowner
that was declated in thebuyOrderFactory
's real storage.
None.
The current owner
address of the buyOrderFactory
contract intends to update the owner
, setting it to another address, via calling the changeOwner
function.
Whenever changeOwner
is called, it will likely just revert as the owner
passed in the arguments will barely ever be the msg.sender
(otherwise there'd be no sense in calling changeOwner
).
In any case, changeOwner
will either revert on the check (in 99,99% of the cases), or as long as owner
(which is supposed to be the "newOwner
" or _owner
in this context to locally scope it) just update the locally-scoped owner
variable (i.e. itself!).
There's no way to update the current buyOrderFactory
's owner
: the only way is through via changeOwner
, which is completely broken due to referring to a locally-scoped owner
variable (its own argument!), and shadowing the globally-scoped owner
due to the same naming of the variable.
In other words, changeOwner
is essentially a view-only pure function due to that aforementioned mistake.
function changeOwner(address owner) public {
require(msg.sender == owner, "Only owner");
require(deployedTime + 6 hours > block.timestamp, "6 hours passed");
owner = owner;
}
- function changeOwner(address owner) public {
+ function changeOwner(address _owner) public {
require(msg.sender == owner, "Only owner");
require(deployedTime + 6 hours > block.timestamp, "6 hours passed");
- owner = owner;
+ owner = _owner;
}